minio/signature-v4-parser_test.go

441 lines
14 KiB
Go
Raw Normal View History

/*
* Minio Cloud Storage, (C) 2016 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package main
import (
"strings"
"testing"
"time"
)
// generates credential string from its fields.
func generateCredentialStr(accessKey, date, region, service, requestVersion string) string {
return "Credential=" + strings.Join([]string{
accessKey,
date,
region,
service,
requestVersion}, "/")
}
// generate CredentialHeader from its fields.
func generateCredentials(t *testing.T, accessKey string, date string, region, service, requestVersion string) credentialHeader {
cred := credentialHeader{
accessKey: accessKey,
}
parsedDate, err := time.Parse(yyyymmdd, date)
if err != nil {
t.Fatalf("Failed to parse date")
}
cred.scope.date = parsedDate
cred.scope.region = region
cred.scope.service = service
cred.scope.request = requestVersion
return cred
}
// validates the credential fields against the expected credential.
func validateCredentialfields(t *testing.T, testNum int, expectedCredentials credentialHeader, actualCredential credentialHeader) {
if expectedCredentials.accessKey != actualCredential.accessKey {
t.Errorf("Test %d: AccessKey mismatch: Expected \"%s\", got \"%s\"", testNum, expectedCredentials.accessKey, actualCredential.accessKey)
}
if expectedCredentials.scope.date != actualCredential.scope.date {
t.Errorf("Test %d: Date mismatch:Expected \"%s\", got \"%s\"", testNum, expectedCredentials.scope.date, actualCredential.scope.date)
}
if expectedCredentials.scope.region != actualCredential.scope.region {
t.Errorf("Test %d: region mismatch:Expected \"%s\", got \"%s\"", testNum, expectedCredentials.scope.region, actualCredential.scope.region)
}
if expectedCredentials.scope.service != actualCredential.scope.service {
t.Errorf("Test %d: service mismatch:Expected \"%s\", got \"%s\"", testNum, expectedCredentials.scope.service, actualCredential.scope.service)
}
if expectedCredentials.scope.request != actualCredential.scope.request {
t.Errorf("Test %d: scope request mismatch:Expected \"%s\", got \"%s\"", testNum, expectedCredentials.scope.request, actualCredential.scope.request)
}
}
// TestParseCredentialHeader - validates the format validator and extractor for the Credential header in an aws v4 request.
// A valid format of creadential should be of the following format.
// Credential = accessKey + "/"+ scope
// where scope = string.Join([]string{ currTime.Format(yyyymmdd),
// "us-east-1",
// "s3",
// "aws4_request",
// },"/")
func TestParseCredentialHeader(t *testing.T) {
sampleTimeStr := time.Now().UTC().Format(yyyymmdd)
testCases := []struct {
inputCredentialStr string
expectedCredentials credentialHeader
expectedErrCode APIErrorCode
}{
// Test Case - 1.
// Test case with no '=' in te inputCredentialStr.
{
inputCredentialStr: "Credential",
expectedCredentials: credentialHeader{},
expectedErrCode: ErrMissingFields,
},
// Test Case - 2.
// Test case with no "Credential" string in te inputCredentialStr.
{
inputCredentialStr: "Cred=",
expectedCredentials: credentialHeader{},
expectedErrCode: ErrMissingCredTag,
},
// Test Case - 3.
// Test case with malformed credentials.
{
inputCredentialStr: "Credential=abc",
expectedCredentials: credentialHeader{},
expectedErrCode: ErrCredMalformed,
},
// Test Case - 4.
// Test case with malformed AccessKey.
{
inputCredentialStr: generateCredentialStr(
"^#@..!23",
time.Now().UTC().Format(yyyymmdd),
"ABCD",
"ABCD",
"ABCD"),
expectedCredentials: credentialHeader{},
expectedErrCode: ErrInvalidAccessKeyID,
},
// Test Case - 5.
// Test case with invalid date format date.
// a valid date format for credentials is "yyyymmdd".
{
inputCredentialStr: generateCredentialStr(
"Z7IXGOO6BZ0REAN1Q26I",
time.Now().UTC().String(),
"ABCD",
"ABCD",
"ABCD"),
expectedCredentials: credentialHeader{},
expectedErrCode: ErrMalformedDate,
},
// Test Case - 6.
// Test case with invalid region.
// region should a non empty string.
{
inputCredentialStr: generateCredentialStr(
"Z7IXGOO6BZ0REAN1Q26I",
time.Now().UTC().Format(yyyymmdd),
"",
"ABCD",
"ABCD"),
expectedCredentials: credentialHeader{},
expectedErrCode: ErrInvalidRegion,
},
// Test Case - 7.
// Test case with invalid service.
// "s3" is the valid service string.
{
inputCredentialStr: generateCredentialStr(
"Z7IXGOO6BZ0REAN1Q26I",
time.Now().UTC().Format(yyyymmdd),
"us-west-1",
"ABCD",
"ABCD"),
expectedCredentials: credentialHeader{},
expectedErrCode: ErrInvalidService,
},
// Test Case - 8.
// Test case with invalid request version.
// "aws4_request" is the valid request version.
{
inputCredentialStr: generateCredentialStr(
"Z7IXGOO6BZ0REAN1Q26I",
time.Now().UTC().Format(yyyymmdd),
"us-west-1",
"s3",
"ABCD"),
expectedCredentials: credentialHeader{},
expectedErrCode: ErrInvalidRequestVersion,
},
// Test Case - 9.
// Test case with right inputs. Expected to return a valid CredentialHeader.
// "aws4_request" is the valid request version.
{
inputCredentialStr: generateCredentialStr(
"Z7IXGOO6BZ0REAN1Q26I",
sampleTimeStr,
"us-west-1",
"s3",
"aws4_request"),
expectedCredentials: generateCredentials(
t,
"Z7IXGOO6BZ0REAN1Q26I",
sampleTimeStr,
"us-west-1",
"s3",
"aws4_request"),
expectedErrCode: ErrNone,
},
}
for i, testCase := range testCases {
actualCredential, actualErrCode := parseCredentialHeader(testCase.inputCredentialStr)
// validating the credential fields.
if testCase.expectedErrCode != actualErrCode {
t.Fatalf("Test %d: Expected the APIErrCode to be %d, got %d", i+1, testCase.expectedErrCode, actualErrCode)
}
if actualErrCode == ErrNone {
validateCredentialfields(t, i+1, testCase.expectedCredentials, actualCredential)
}
}
}
// TestParseSignature - validates the logic for extracting the signature string.
func TestParseSignature(t *testing.T) {
testCases := []struct {
inputSignElement string
expectedSignStr string
expectedErrCode APIErrorCode
}{
// Test case - 1.
// SignElemenet doesn't have 2 parts on an attempt to split at '='.
// ErrMissingFields expected.
{
inputSignElement: "Signature",
expectedSignStr: "",
expectedErrCode: ErrMissingFields,
},
// Test case - 2.
// SignElemenet with missing "SignatureTag",ErrMissingSignTag expected.
{
inputSignElement: "Sign=",
expectedSignStr: "",
expectedErrCode: ErrMissingSignTag,
},
// Test case - 3.
// Test case with valid inputs.
{
inputSignElement: "Signature=abcd",
expectedSignStr: "abcd",
expectedErrCode: ErrNone,
},
}
for i, testCase := range testCases {
actualSignStr, actualErrCode := parseSignature(testCase.inputSignElement)
if testCase.expectedErrCode != actualErrCode {
t.Fatalf("Test %d: Expected the APIErrCode to be %d, got %d", i+1, testCase.expectedErrCode, actualErrCode)
}
if actualErrCode == ErrNone {
if testCase.expectedSignStr != actualSignStr {
t.Errorf("Test %d: Expected the result to be \"%s\", but got \"%s\". ", i+1, testCase.expectedSignStr, actualSignStr)
}
}
}
}
// TestParseSignedHeaders - validates the logic for extracting the signature string.
func TestParseSignedHeaders(t *testing.T) {
testCases := []struct {
inputSignElement string
expectedSignedHeaders []string
expectedErrCode APIErrorCode
}{
// Test case - 1.
// SignElemenet doesn't have 2 parts on an attempt to split at '='.
// ErrMissingFields expected.
{
inputSignElement: "SignedHeaders",
expectedSignedHeaders: nil,
expectedErrCode: ErrMissingFields,
},
// Test case - 2.
// SignElemenet with missing "SigHeaderTag",ErrMissingSignHeadersTag expected.
{
inputSignElement: "Sign=",
expectedSignedHeaders: nil,
expectedErrCode: ErrMissingSignHeadersTag,
},
// Test case - 3.
// Test case with valid inputs.
{
inputSignElement: "SignedHeaders=host;x-amz-content-sha256;x-amz-date",
expectedSignedHeaders: []string{"host", "x-amz-content-sha256", "x-amz-date"},
expectedErrCode: ErrNone,
},
}
for i, testCase := range testCases {
actualSignedHeaders, actualErrCode := parseSignedHeaders(testCase.inputSignElement)
if testCase.expectedErrCode != actualErrCode {
t.Errorf("Test %d: Expected the APIErrCode to be %d, got %d", i+1, testCase.expectedErrCode, actualErrCode)
}
if actualErrCode == ErrNone {
if strings.Join(testCase.expectedSignedHeaders, ",") != strings.Join(actualSignedHeaders, ",") {
t.Errorf("Test %d: Expected the result to be \"%v\", but got \"%v\". ", i+1, testCase.expectedSignedHeaders, actualSignedHeaders)
}
}
}
}
// TestParseSignV4 - Tests Parsing of v4 signature form the authorization string.
func TestParseSignV4(t *testing.T) {
sampleTimeStr := time.Now().UTC().Format(yyyymmdd)
testCases := []struct {
inputV4AuthStr string
expectedAuthField signValues
expectedErrCode APIErrorCode
}{
// Test case - 1.
// Test case with empty auth string.
{
inputV4AuthStr: "",
expectedAuthField: signValues{},
expectedErrCode: ErrAuthHeaderEmpty,
},
// Test case - 2.
// Test case with no sign v4 Algorithm prefix.
// A valid authorization string should begin(prefix)
{
inputV4AuthStr: "no-singv4AlgorithmPrefix",
expectedAuthField: signValues{},
expectedErrCode: ErrSignatureVersionNotSupported,
},
// Test case - 3.
// Test case with missing fields.
// A valid authorization string should have 3 fields.
{
inputV4AuthStr: signV4Algorithm,
expectedAuthField: signValues{},
expectedErrCode: ErrMissingFields,
},
// Test case - 4.
// Test case with invalid credential field.
{
inputV4AuthStr: signV4Algorithm + " Cred=,a,b",
expectedAuthField: signValues{},
expectedErrCode: ErrMissingCredTag,
},
// Test case - 5.
// Auth field with missing "SigHeaderTag",ErrMissingSignHeadersTag expected.
// A vaild credential is generated.
// Test case with invalid credential field.
{
inputV4AuthStr: signV4Algorithm +
strings.Join([]string{
// generating a valid credential field.
generateCredentialStr(
"Z7IXGOO6BZ0REAN1Q26I",
sampleTimeStr,
"us-west-1",
"s3",
"aws4_request"),
// Incorrect SignedHeader field.
"SignIncorrectHeader=",
"b",
}, ","),
expectedAuthField: signValues{},
expectedErrCode: ErrMissingSignHeadersTag,
},
// Test case - 5.
// Auth string with missing "SignatureTag",ErrMissingSignTag expected.
// A vaild credential is generated.
// Test case with invalid credential field.
{
inputV4AuthStr: signV4Algorithm +
strings.Join([]string{
// generating a valid credential.
generateCredentialStr(
"Z7IXGOO6BZ0REAN1Q26I",
sampleTimeStr,
"us-west-1",
"s3",
"aws4_request"),
// valid SignedHeader.
"SignedHeaders=host;x-amz-content-sha256;x-amz-date",
// invalid Signature field.
// a valid signature is of form "Signature="
"Sign=",
}, ","),
expectedAuthField: signValues{},
expectedErrCode: ErrMissingSignTag,
},
{
inputV4AuthStr: signV4Algorithm +
strings.Join([]string{
// generating a valid credential.
generateCredentialStr(
"Z7IXGOO6BZ0REAN1Q26I",
sampleTimeStr,
"us-west-1",
"s3",
"aws4_request"),
// valid SignedHeader.
"SignedHeaders=host;x-amz-content-sha256;x-amz-date",
// valid Signature field.
// a valid signature is of form "Signature="
"Signature=abcd",
}, ","),
expectedAuthField: signValues{
Credential: generateCredentials(
t,
"Z7IXGOO6BZ0REAN1Q26I",
sampleTimeStr,
"us-west-1",
"s3",
"aws4_request"),
SignedHeaders: []string{"host", "x-amz-content-sha256", "x-amz-date"},
Signature: "abcd",
},
expectedErrCode: ErrNone,
},
}
for i, testCase := range testCases {
parsedAuthField, actualErrCode := parseSignV4(testCase.inputV4AuthStr)
if testCase.expectedErrCode != actualErrCode {
t.Fatalf("Test %d: Expected the APIErrCode to be %d, got %d", i+1, testCase.expectedErrCode, actualErrCode)
}
if actualErrCode == ErrNone {
// validating the extracted/parsed credential fields.
validateCredentialfields(t, i+1, testCase.expectedAuthField.Credential, parsedAuthField.Credential)
// validating the extraction/parsing of signature field.
if testCase.expectedAuthField.Signature != parsedAuthField.Signature {
t.Errorf("Test %d: Parsed Signature field mismatch: Expected \"%s\", got \"%s\"", i+1, testCase.expectedAuthField.Signature, parsedAuthField.Signature)
}
// validating the extracted signed headers.
if strings.Join(testCase.expectedAuthField.SignedHeaders, ",") != strings.Join(parsedAuthField.SignedHeaders, ",") {
t.Errorf("Test %d: Expected the result to be \"%v\", but got \"%v\". ", i+1, testCase.expectedAuthField, parsedAuthField.SignedHeaders)
}
}
}
}